Extend context using the command line - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-07-12
Category
Administrator Guide
Abstract

Extend context to retrieve additional data from integrations or commands and map to fields. Extend context from the Cortex XSIAM CLI.

You can extend context either in a playbook task or directly from the Incident/Alert War Room command line. Whichever method you use, recommends that you first run your command with the raw-response=true flag. This will help you identify the information that you want to add to your extended data.

  1. Run your command with the extend-context flag !<commandName> <argumentName> <value>extend-context=contextKey=JsonOutputPath.

    For example, to add the user and manager fields to context use the ad-get-user command, as follows:

    !ad-get-user=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName

  2. To output only the values that you set as Extend context, run the command with the ignore-ouput flag=true. !ad-get-user=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName ignore-output=true

    Example

    By default, after adding an IBM Qradar v3 integration instance, offenses pulled from QRadar to Cortex XSIAM returns numerous fields, including event_count, device_count,offense_type, description, etc. You can use extend context to show, which additional information is available. You can also use that information to map it to a field in Cortex XSIAM.

    • Run the command !qradar-offenses-list raw-response="true". From the context data, you should see that there are a number of fields that are returned.

    • Identify the fields that you want to view and run your command. For example, to retrieve the number of devices affected by a given offense, as well as the domain in which those devices reside, run the following command:

      !qradar-offences-list extend-context=device-count=device_count::domain_id=domain_id